On Tue, 14 Sep 2010 08:25:02 -0500, Terry <td3201@xxxxxxxxx> wrote:
> On Tue, Sep 14, 2010 at 1:52 AM, Isaac NickAein <nickaein.i@xxxxxxxxx>
> wrote:
>> How about Digest authentication?
>>
>> Is Digest as weak as NTLM?

Digest has security-level extensions that can be dialed from "session",
equivalent to a slightly safer Basic auth, all the way up to the latest
brand new encryption nobody has heard of yet.

I mention Kerberos as it's a polished-up replacement for NTLM and within
the NTLM admin's comfort zone.

>>
>> And another question:
>>
>> Is it possible to use Kerberos (actually Negotiate) protocol for squid
>> user authentication in a network without any Active Directory or
>> Domain?

Credentials to where? Someone called foo sends you a key "fob". With
what reason do you trust them?

In theory, yes. Reality? Not sure. It is possible to use Kerberos on a
ZeroConf network provided the machines all know each other's keys before
connecting.

The old NTLM domain-less helper was a domain server in its own right,
which Squid was running and therefore could trust. Remember that horrible
double-407 handshake in your access.logs? The first 407 was Squid fooling
the client into trusting it as they would a Domain server.

>>
>> On 9/14/10, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>> On Mon, 13 Sep 2010 11:28:13 -0500, Terry <td3201@xxxxxxxxx> wrote:
>>>> I have a working NTLM implementation in place and it works great from
>>>> yum and wget, for example. However, when I try to use squid from IE8,
>>>> it prompts for a password and I never see the credentials hit squid,
>>>> just this, for example:
>>>>
>>>> 1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET http://google.com/ - NONE/- text/html
>>>>
>>>> I have added google.com to IE's local intranet zone and gave that zone
>>>> low priority, so I am not sure where the problem lies. Here's my
>>>> configuration:
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOM\\proxyusers"
>>>> auth_param ntlm children 5
>>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="DOM\\proxyusers"
>>>> auth_param basic children 5
>>>> auth_param basic realm Squid proxy-caching web server
>>>> auth_param basic credentialsttl 5 hours
>>>>
>>>> acl NTLMUsers proxy_auth REQUIRED
>>>> http_access allow all NTLMUsers
>>>>
>>>> I can test fine from the squid server:
>>>>
>>>> [root@proxy01a squid]# ntlm_auth --helper-protocol=squid-2.5-basic
>>>> DOM\jmama password
>>>> OK
>>>>
>>>> What am I missing?
>>>
>>> The fact that NTLM has been obsolete for 8 years now? Its encryption
>>> schemes were demonstrated to be decrypted in under 15 minutes with a
>>> standard consumer desktop as of a year or so ago.
>>> Microsoft have declared it deprecated in favor of Kerberos back in the
>>> early stages of Vista, and all their newer software attempts to do
>>> Kerberos instead. IE8 and Windows 7 are known to have NTLM fully
>>> disabled by default, with some hoop-jumping needed to open up those
>>> holes again.
>>>
>>> *Please* look at upgrading your network to Negotiate/Kerberos. It's much
>>> more secure, faster and very much less resource hungry than NTLM.
>>>
>>> Amos
>>>
>>
>
> Clearly I'm not up to par on my authentication technologies. If it's
> that old, why is it still an example on the website? I'll check into
> Kerberos as I use that in other areas for linux/windows
> authentication.

Because IE6 and WinXP servers are dying off so slowly and some people
still need it.

Amos
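As an added example, not taken from the thread or from the Squid project, here is how the quoted squid.conf could be reworked along the lines Amos suggests: offer Negotiate/Kerberos first and keep NTLM and Basic only as fallbacks for clients that cannot do better. The helper path /usr/lib/squid/negotiate_kerberos_auth, the service principal HTTP/proxy.example.com@EXAMPLE.COM, the keytab path and the child counts are assumptions; on Squid 3.1 the same helper shipped under the name squid_kerb_auth, and the realm can be served by Active Directory or by a plain MIT/Heimdal KDC, since the proxy only needs a keytab for its own principal.

```conf
# Added example, not the poster's config. Assumed: Squid 3.x, the Kerberos
# helper installed as /usr/lib/squid/negotiate_kerberos_auth, realm
# EXAMPLE.COM, and /etc/squid/squid.keytab holding the key for
# HTTP/proxy.example.com@EXAMPLE.COM.
#
# Squid advertises schemes in the order the auth_param lines appear, so the
# strongest scheme goes first; a Kerberos-capable client picks it and never
# falls through to NTLM.

# 1. Negotiate/Kerberos. Export KRB5_KTNAME=/etc/squid/squid.keytab in the
#    environment Squid starts from so the helper can find its key.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# 2. NTLM: fallback only, for clients with no ticket or an old OS.
#    Same helper and group check as the original config.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOM\\proxyusers"
auth_param ntlm children 5
auth_param ntlm keep_alive on

# 3. Basic: last resort for non-browser tools such as yum and wget.
#    The password crosses the wire base64-encoded, not encrypted.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="DOM\\proxyusers"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours

acl AuthUsers proxy_auth REQUIRED

# Deny first: a request with no usable credentials is answered with the
# 407 challenge here and never reaches the allow line below.
http_access deny !AuthUsers
http_access allow AuthUsers
http_access deny all
```

Two caveats for anyone copying this. The Kerberos helper only verifies the ticket; it does not check group membership the way ntlm_auth's --require-membership-of does, so a DOM\proxyusers restriction for Kerberos logins has to be enforced separately (an external_acl_type group helper such as Squid's Kerberos LDAP group helper is the usual route). And the browser still needs the proxy's hostname to resolve to the name in the service principal, since a ticket for HTTP/proxy.example.com is not valid for a proxy reached as 10.8.1.100.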